
3 comments

First of all – I love your site, with all your scripts, tips and tricks. Just a thought, wouldn’t it be “safer” to use “/etc/rc.d/pf reload” rather than “/etc/rc.d/pf restart”? I’m kinda new at this, but during my tests, if I issue a restart while connected through SSH, my connection is dropped, while reload seems to accept my changes while keeping my connection.

I have been doing something similar for my own FreeBSD systems, highly recommend. There are a few things you may want to take into consideration here.

1) If you are going to utilize FreeBSD’s periodic system, this setup should be modified to work within the framework. All custom additions to periodic scripts should be placed in ‘/usr/local/etc/periodic/*’. In this case ‘/usr/local/etc/periodic/daily’ would be suitable. You will also want to add control for the running of the script in the /etc/periodic.conf file. Below I have done a re-write of your 10.drop-lasso file.

2) Typically you want to avoid doing a restart on a firewall if it isn’t necessary. Since we are dealing with a table, PF allows for a load of just the tables without a complete ruleset reload. This is accomplished by using pfctl. For example: pfctl -Tl -f /etc/pf.conf will do the reload on all tables in PF. Note: you can add -v to get more verbose output on the tables being reloaded. I have adjusted the script to use this instead of doing a full restart.
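Putting the two comments' points together (avoid a full pf restart, and hook the job into periodic(8) with a periodic.conf knob), here is an added example script; it is not the article's 10.drop-lasso file nor the commenter's rewrite. It validates the downloaded list before loading it and swaps only the named PF table with pfctl -T replace; the table name, list path and knob name are assumed, not taken from the page.

```shell
#!/bin/sh
# Added example (not the article's 10.drop-lasso nor the commenter's rewrite):
# a periodic(8) daily script that refreshes one PF table from a blocklist file
# without restarting pf. Assumed (not from the page): table "blocklist",
# list /var/db/blocklist.txt, periodic.conf knob daily_pf_blocklist_enable.
# Read a raw list on stdin; print only well-formed IPv4 addresses or CIDR
# prefixes, dropping comments, hostnames and junk from a bad/tampered feed.
filter_blocklist() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    awk -F'[./]' '
        NF != 4 && NF != 5 { next }
        {
            ok = 1
            for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0
            if (NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32)) ok = 0
            if (ok) print
        }'
}

# Replace the table contents in place: only the table changes; the ruleset
# and existing states (including the admin's SSH session) are untouched.
reload_pf_table() {
    pfctl -t "$1" -T replace -f "$2"   # $1 = table name, $2 = filtered list
}
# Constructed sample feed using RFC 5737 documentation addresses.
sample_blocklist() {
    cat <<'EOF'
# feed header comment
203.0.113.7
198.51.100.0/24   # trailing comment
bad.example.com
300.1.2.3
192.0.2.1
10.0.0.0/33
EOF
}

# periodic(8) entry point: honour the knob set in /etc/periodic.conf.
if [ -r /etc/defaults/periodic.conf ]; then
    . /etc/defaults/periodic.conf
    source_periodic_confs
fi
case "${daily_pf_blocklist_enable:-NO}" in
[Yy][Ee][Ss])
    echo "Refreshing PF table blocklist:"
    filter_blocklist < /var/db/blocklist.txt > /var/db/blocklist.clean &&
        reload_pf_table blocklist /var/db/blocklist.clean
    ;;
esac
```

Install it as /usr/local/etc/periodic/daily/NNN.pf-blocklist and set daily_pf_blocklist_enable="YES" in /etc/periodic.conf; the sample feed function only exists to show what the filter keeps and drops.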